Client Credentials
This grant type is used when the client requests access to the OAuth2 resource server using only its own client credentials (the client id, plus the client secret password when the client is not public) in order to obtain an access token.
This grant is suited to machine-to-machine authentication and should only be allowed for trusted clients, for example:
- Machines or cronjobs performing maintenance tasks over API.
- Service calls.
- Calls on behalf of the user who created the client.
- allow_credentials_in_request_body: TRUE by default. Defines whether the system will look for credentials in the POST body in addition to the Authorization HTTP header.
- grant_type: "client_credentials"
- client_id: The client string id defined in your system.
- client_secret: Optional; the password is only required if the client is not public.
You can send these parameters in the body of a POST request, or send the "client_id" and "client_secret" in the Authorization header (if you do, please read the Apache Modrewrite section first).
By default the library uses the main module PDO storage, which points to the database table oauth_clients and accesses the following fields:
- client_id: (string, required) String credential used to identify the client.
- client_secret: (string, optional) Field that, if not null, marks the client as "non public" and makes the secret mandatory. It serves as a password to improve access security for specific tasks in the resource servers, such as CRUD operations or access to vital information.
- grant_types: (string, required) Grant types the system will allow for this client, separated by the space character. Must contain the client_credentials string if you want this client to be able to use this grant type.
- scope: (string, optional) Scopes the client will have access to in the resource servers. Several can be defined at once, each separated by the space character.
- user_id: (integer, optional) Id linked to the user id in your system (if you have a user management application). This makes it a simple task to link clients with their respective users.
There are more fields in the table, but they are used by other grant types.
To request a token you must send a POST request:
curl -u testclient:testpass https://api.example.com/token -d 'grant_type=client_credentials'
curl https://api.example.com/oauth2/token -d 'grant_type=client_credentials&client_id=testclient&client_secret=testpass'
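The following is an added example, not code from yii2-oauth2-server, showing how a token endpoint can validate a client_credentials request against an oauth_clients row using the fields listed above: it takes credentials from the Authorization header first, falls back to the POST body only when allow_credentials_in_request_body is enabled, treats a null client_secret as a public client, and checks grant_types and scope. The OAUTH_CLIENTS rows and the function names are constructed for the example.

```python
import base64
import hmac

# Constructed sample of the oauth_clients table (client_secret None => public client).
OAUTH_CLIENTS = {
    "testclient": {"client_secret": "testpass", "grant_types": "client_credentials password",
                   "scope": "read write", "user_id": 42},
    "public_app": {"client_secret": None, "grant_types": "authorization_code",
                   "scope": "read", "user_id": None},
}

def extract_credentials(headers, body, allow_credentials_in_request_body=True):
    """Return (client_id, client_secret): Basic header first, then POST body if allowed."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:  # malformed base64 or non-UTF-8 payload
            return None, None
        client_id, _, secret = decoded.partition(":")
        return client_id, secret
    if allow_credentials_in_request_body:
        return body.get("client_id"), body.get("client_secret")
    return None, None

def handle_token_request(headers, body, allow_credentials_in_request_body=True):
    """Validate a client_credentials grant.
    Returns ("ok", granted_scope, user_id) or ("error", oauth_error_code, None)."""
    if body.get("grant_type") != "client_credentials":
        return "error", "unsupported_grant_type", None
    client_id, secret = extract_credentials(headers, body, allow_credentials_in_request_body)
    client = OAUTH_CLIENTS.get(client_id)
    if client is None:
        return "error", "invalid_client", None
    stored_secret = client["client_secret"]
    if stored_secret is not None:
        # Non-public client: the secret is mandatory; compare in constant time.
        if not secret or not hmac.compare_digest(stored_secret, secret):
            return "error", "invalid_client", None
    # grant_types is a space-separated list; client_credentials must be present.
    if "client_credentials" not in client["grant_types"].split():
        return "error", "unauthorized_client", None
    # Requested scopes must be a subset of the client's configured scopes;
    # an absent scope parameter grants everything the client is allowed.
    allowed = set(client["scope"].split())
    requested = set(body.get("scope", "").split()) or allowed
    if not requested <= allowed:
        return "error", "invalid_scope", None
    return "ok", " ".join(sorted(requested)), client["user_id"]
```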
(how to make a model to change the regular storage)
- [Configuration Options](https://github.com/Patroklo/yii2-oauth2-server/wiki/Configuration-Options)